Microsoft issues emergency update for macOS and Linux ASP.NET threat
ID: 33bc92d9-a73f-583d-b21b-04101cf6c9b8
STIX ID: report--33bc92d9-a73f-583d-b21b-04101cf6c9b8
Feed Name: Security - Ars Technica
Microsoft issued an emergency patch for ASP.NET Core to address CVE-2026-40372, a high-severity flaw in Microsoft.AspNetCore.DataProtection (v10.0.0–10.0.6). The flaw can let unauthenticated attackers forge authentication payloads during HMAC validation and gain SYSTEM-level privileges on Linux and macOS applications. Tokens or credentials created during the vulnerable period remain valid after updating unless the DataProtection key ring is rotated.
